0

I have an mp4 file (20M in size), then I run:

$ binwalk myfile.mp4
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
8061349       0x7B01A5        gzip compressed data, ASCII, last modified: 2038-02-02 16:33:05 (bogus date)

Although the date seems weird, using dd:

$ dd if=myfile.mp4 bs=1 skip=8061349 of=zipfile.gz
12755682+0 records in
12755682+0 records out
12755682 bytes (13 MB, 12 MiB) copied, 50.5952 s, 252 kB/s

Now with gzip:

$ gzip -l zipfile.gz 
         compressed        uncompressed  ratio uncompressed_name
           12755682           825241902  98.5% zipfile

$ gzip -d zipfile.gz
gzip: zipfile.gz: invalid compressed data--format violated

So how can I be sure the binwalk output is correct?

1 Answer

2

First of all, I've never seen binwalk used on an mp4 or any other media file. As this software is developed for extracting firmware, I am not sure if this would even work.

You might want to read binwalk's FAQ.

From the FAQ:

Why does binwalk's signature scan report false positive results?

Binwalk does a pretty good job of analyzing potential file signatures and filtering out obvious false positives, but it is not perfect.

Some signatures are more difficult to validate than others, and binwalk will always err on the side of caution; that is, it would rather report a potential false positive so that you can then independently validate or invalidate it, rather than not report a questionably valid result.

This part of the FAQ might be of special interest for you.

You can have a look into binwalk's magic files and compare them to your data to get a clue why it got flagged as GZIP.

mashuptwice
  • 3,395
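One way to validate a gzip hit independently, as the FAQ quoted above suggests (an added example, not part of the original answer and not binwalk's own code): parse the 10-byte gzip header at the reported offset, then inflate the stream with Python's zlib, which also verifies the CRC32/ISIZE trailer. The function name `check_gzip_candidate` and the `FALSE_HIT` bytes are constructed for illustration.

```python
import struct
import time
import zlib

CHUNK = 1 << 16

# Constructed sample: 4 filler bytes, then a gzip-looking header (FTEXT flag,
# MTIME in 2038) followed by bytes that are not a valid deflate stream.
FALSE_HIT = (b"ftyp" + b"\x1f\x8b\x08\x01" + struct.pack("<I", 2148741185)
             + b"\x00\x03" + b"\xff" * 32)

def check_gzip_candidate(data, offset, now=None):
    """Classify a gzip signature hit at `offset` as valid, invalid or truncated."""
    now = time.time() if now is None else now
    notes = []
    hdr = data[offset:offset + 10]
    if len(hdr) < 10 or hdr[:2] != b"\x1f\x8b":
        return {"verdict": "invalid", "notes": ["no gzip magic at offset"]}
    # Header layout: ID1 ID2 CM FLG MTIME(4, little-endian) XFL OS
    cm, flg, mtime, _xfl, _os = struct.unpack("<BBIBB", hdr[2:])
    if cm != 8:
        notes.append("compression method %d is not deflate (8)" % cm)
    if flg & 0xE0:
        notes.append("reserved FLG bits set")
    if mtime > now:
        notes.append("MTIME lies in the future")
    # Header fields are only hints; the real test is inflating the stream.
    d = zlib.decompressobj(wbits=31)  # 31 = expect a gzip wrapper
    pos, out_len = offset, 0
    try:
        while not d.eof and pos < len(data):
            chunk = data[pos:pos + CHUNK]
            pos += len(chunk)
            out_len += len(d.decompress(chunk))  # output is counted, not kept
    except zlib.error as exc:
        notes.append("inflate failed: %s" % exc)
        return {"verdict": "invalid", "notes": notes}
    if not d.eof:
        notes.append("input ended before the CRC32/ISIZE trailer")
        return {"verdict": "truncated", "notes": notes}
    # d.unused_data holds whatever followed the trailer in the last chunk.
    return {"verdict": "valid", "notes": notes,
            "compressed_len": pos - offset - len(d.unused_data),
            "uncompressed_len": out_len}

if __name__ == "__main__":
    print(check_gzip_candidate(FALSE_HIT, 4))
```

A "valid" verdict means the stream inflated to its end and the trailer checksum matched; "invalid" means the signature match was a false positive at that offset.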